Vendor: Data Breach Involved Security Product Vulnerability
Clinical Review Firm: Nearly 135,000 Individuals, Dozens of Health Plans Affected
… Tom Walsh, founder of privacy and security consultancy tw-Security, says that vulnerabilities can also arise in how a user organization configures a product, such as one provided by SonicWall or any other vendor.
“The organization using the product/tool – in this case SonicWall – has a responsibility in how the firewall or tool is configured and managed,” he says. “The exact same firewall – hardware and software – could be configured differently at different organizations. An error in setting up or configuring the firewall could create a vulnerability.”
… Some experts note that the MRIoA incident appears to spotlight a variety of common difficulties with, as well as the critical importance of, effective patch management.
“Patch management can be challenging, even for organizations that are HITRUST-certified, such as MRIoA,” Walsh says. “It seems like every day there is a newly discovered vulnerability in an application, database, operating system, tool, etc. In many cases, there is a delay between the discovery of the vulnerability and when the vendor releases an update/patch/fix.”
… Walsh suggests the entities subscribe to organizations that provide routine security updates. “The problem is that you have to sift through all of the alerts to find the one or two that may apply to your environment. This is a time-consuming task and not a fun task either.”